Vulnerability and Threat Management Policy

Security Testing

VULNERABILITY AND THREAT MANAGEMENT POLICY

OVERVIEW

Kredit Financial Inc. (Kredit) is committed to a secure information technology environment in support of its mission and recognizes the need to identify and manage security threats and vulnerabilities. Kredit makes informed decisions about managing security risks by gathering risk data from multiple sources, including its own vulnerability scanning, penetration testing and threat intelligence efforts.

DEFINITIONS

  • Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

  • Vulnerability: Any weakness in an information system, system procedures, internal controls, or implementation that can be exploited or triggered by a threat source.

  • Vulnerability Scanning: A technique used to identify devices, device attributes, and associated vulnerabilities.

  • Vulnerability Analysis: Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, provide data from which to predict the effectiveness of proposed security measures, and confirm the adequacy of such measures after implementation.

  • Penetration Testing: Security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. It often involves issuing real attacks against real systems and data, using the same tools and techniques used by actual attackers. A penetration test differs from a vulnerability scan in that a penetration test is an active process that may include exploiting identified vulnerabilities. A vulnerability scan is often one of the first steps a penetration tester performs in order to plan the testing strategy, but it is not the only step: even if the scan detects no known vulnerabilities, the tester will often learn enough about the system to identify possible security gaps.

  • Patch Management: The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions.

  • Threat Intelligence: The aggregation of knowledge about prominent and emerging security exploits that can be used to inform decisions about how to expand and improve Kredit’s overall security program.

  • Indicators of Compromise (IOC): Artifacts observed on a network or in an operating system that increase confidence that the network or system has been compromised by a threat actor. Examples include virus signatures, Internet Protocol (IP) addresses, cryptographic hashes of malware files (for example MD5 message-digest algorithm hashes, although SHA-256 hashes are preferred because MD5 is collision-prone), and Uniform Resource Locators (URLs) or domain names of botnet command and control servers.

  • Cardholder Data Environment (CDE): A computer system or networked group of IT systems that processes, stores and/or transmits cardholder data or sensitive payment authentication data. A CDE also includes any component that directly connects to or supports this environment.

PURPOSE

This Policy and Procedure (PnP) has been created to outline the requirements for identification, assessment, and mitigation of threats to Kredit’s systems, and of vulnerabilities within those systems.

POLICY

It is the policy of Kredit to perform vulnerability scanning and assessment, penetration testing, patch management, intrusion detection, and threat intelligence gathering on a regular and on-going basis.

SCOPE

This PnP is applicable to all Kredit systems, data, and environments.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Technology Officer (CTO) is responsible for coordinating vulnerability management efforts, including vulnerability scanning, penetration testing, critically assessing threat intelligence efforts, and monitoring the global services and forums that provide updates on prominent and growing security threats.

Kredit’s Chief Compliance Officer (CCO) is responsible for ensuring this PnP is reviewed on an annual basis.

PROCEDURE

VULNERABILITY SCANNING

The CTO performs vulnerability scans at a minimum of every six (6) months or after any significant infrastructure or network change in order to identify security gaps. These scans will report on any identified vulnerabilities and assign them a severity level of 1-5 (5 being the most severe). Based on the reported severity levels and knowledge of Kredit’s technological environment, the CTO prioritizes the remediation of the identified vulnerabilities and ensures appropriate remediation is employed to close the identified gaps. For identified vulnerabilities that cannot be remediated, the CTO shall also determine options to mitigate the associated risk.

PENETRATION TESTING

Kredit utilizes an outside service provider to conduct external penetration testing on a quarterly basis or after any significant infrastructure or network change (such as an operating system upgrade or a sub-network added to the environment). Based on the severity levels reported by the provider and knowledge of Kredit’s technological environment, the CTO prioritizes the remediation of the identified vulnerabilities and ensures appropriate remediation is employed to close the identified gaps. For identified vulnerabilities that cannot be remediated, the CTO shall also determine options to mitigate the associated risk.

PATCH MANAGEMENT

The CTO shall regularly apply patches to systems, prioritizing those with the most critical vulnerabilities, to mitigate the threat of exploitation. Information for all applied patches shall be tracked, including the patch version, the patched devices, and the date and time of patching.

INTRUSION DETECTION

Kredit utilizes Amazon GuardDuty, which continuously monitors and analyzes various AWS data sources. It uses threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized or malicious activity within the Kredit AWS environment.

THREAT INTELLIGENCE

Kredit leverages a variety of sources for threat intelligence gathering and monitors information from threat intelligence forums and communities available on the internet. Gathered threat intelligence highlights commonly targeted devices and newly discovered Indicators of Compromise (IOCs). The gathered intelligence is used to inform security monitoring activities.

COMMUNICATION

This PnP shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Information Security on Google Drive for reference purposes.

VIOLATIONS

Failure to comply with this PnP may result in unauthorized access to Kredit’s network, the network being infected by a virus or malware, or a data breach.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Information Security Policy

Policy Name: Vulnerability and Threat Management

Last updated